Privacy policy
Last updated: January 7, 2026
With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").
The terms used are not gender-specific.
We process users' data to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.
Provision of online offer on rented storage space: To provide our online offer, we use storage space, computing capacity, and software that we rent from a corresponding server provider (also called "web hoster") or otherwise obtain; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Collection of access data and log files: Access to our online offer is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed websites and files, date and time of access, data volumes transmitted, message about successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used on the one hand for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure server load and stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes are excluded from deletion until the respective incident is finally clarified.
Further notes on processing processes, procedures, and services:
Hetzner: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.hetzner.com; Privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz. Data processing agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
ipapi.co (Geolocation): To determine the user's location (country) for displaying the correct currency, we use the ipapi.co service. The user's IP address is transmitted to this service; Service provider: Kloudend, Inc., USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://ipapi.co; Privacy policy: https://ipapi.co/privacy/.
The term "Cookies" refers to functions that store and read information on users' end devices. Cookies can also be used for different purposes, such as for functionality, security, and convenience of online offers as well as for creating analyses of visitor flows. We use cookies in accordance with legal requirements. If necessary, we obtain the consent of users in advance. If consent is not necessary, we rely on our legitimate interests. This applies when storing and reading information is essential to provide explicitly requested content and functions. This includes, for example, storing settings and ensuring the functionality and security of our online offer. Consent can be revoked at any time. We clearly inform about its scope and which cookies are used.
Storage duration: With regard to storage duration, the following types of cookies are distinguished:
Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes their end device (e.g., browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be stored and preferred content can be displayed directly when the user visits a website again. Similarly, user data collected with the help of cookies can be used for reach measurement. If we do not provide users with explicit information about the type and storage duration of cookies (e.g., in the context of obtaining consent), they should assume that these are permanent and the storage duration can be up to two years.
Processing of cookie data based on consent: We use a consent management solution in which users' consent to the use of cookies or to the procedures and providers mentioned in the context of the consent management solution is obtained. This procedure serves to obtain, log, manage, and revoke consents, in particular with regard to the use of cookies and similar technologies used to store, read, and process information on users' end devices. As part of this procedure, users' consents for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure, are obtained. Users also have the option to manage and revoke their consents. Consent declarations are stored to avoid repeated queries and to be able to provide proof of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or using similar technologies to be able to assign consent to a specific user or their device; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
General notes on revocation and objection (opt-out): Users can revoke the consents they have given at any time and also declare an objection to processing in accordance with legal requirements, including via the privacy settings of their browser.
Web analytics (also referred to as "reach measurement") serves to evaluate visitor flows to our online offer and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offer or its functions or content are used most frequently, or invite reuse. We can also identify which areas need optimization.
In addition to web analytics, we can also use testing procedures to test and optimize different versions of our online offer or its components.
Unless otherwise specified below, profiles may be created for these purposes, i.e., data summarized for a usage process, and information may be stored and read in a browser or on an end device. The information collected includes in particular visited websites and elements used there, as well as technical information, such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data from us or from the providers of the services we use, the processing of location data is also possible.
In addition, users' IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of users (such as email addresses or names) are stored in the context of web analytics, A/B testing, and optimization, but pseudonyms. This means that we as well as the providers of the software used do not know the actual identity of users, but only the information stored in their profiles for the purpose of the respective procedures.
Notes on legal basis: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.
Within the framework of contractual and other legal relationships, due to legal obligations, or otherwise on the basis of our legitimate interests, we offer affected persons efficient and secure payment options and use service providers in addition to banks and credit institutions (collectively "payment service providers"). Payment processing is carried out exclusively via encrypted connections in accordance with the state of the art, so that the data entered is protected against unauthorized access during transmission.
The data processed by payment service providers includes master data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, amount, and recipient-related information. The information is required to carry out transactions. However, the data entered is only processed and stored by the payment service providers. This means that we do not receive any account or credit card-related information, but only information with confirmation or negative information about the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. This transmission serves the purpose of identity and credit checks. We refer to the terms and conditions and privacy notices of the payment service providers for this purpose.
The terms and conditions and privacy notices of the respective payment service providers apply to payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to these for further information and assertion of revocation, information, and other data subject rights.
Further notes on processing processes, procedures, and services:
Stripe: Payment services (technical connection of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://stripe.com; Privacy policy: https://stripe.com/de/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
We process data of our contract and business partners, e.g., customers and interested parties (collectively referred to as "contract partners"), within the framework of contractual and comparable legal relationships as well as associated measures and with regard to communication with contract partners (or pre-contractually), for example, to answer inquiries.
We use this data to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services, any update obligations, and remedies for warranty and other performance disruptions. In addition, we use the data to protect our rights and for the administrative tasks associated with these obligations as well as business organization. We also process the data on the basis of our legitimate interests both in proper and business management and in security measures to protect our contract partners and our business operations from abuse, threats to their data, secrets, information, and rights (e.g., for the involvement of telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the framework of applicable law, we only pass on contract partners' data to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contract partners are informed about further forms of processing, for example for marketing purposes, within the framework of this privacy policy.
Which data is required for the aforementioned purposes, we inform contract partners before or in the context of data collection, e.g., in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks, etc.), or personally.
We delete data after the expiry of legal warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal reasons of archiving (e.g., for tax purposes usually ten years). Data disclosed to us by the contract partner in the context of an order is deleted in accordance with the specifications and generally after the end of the order.
Further notes on processing processes, procedures, and services:
Online shop, order forms, e-commerce, and service fulfillment: We process our customers' data to enable them to select, purchase, or order the chosen products, goods, and associated services, as well as their payment and provision, delivery, or execution. If necessary for the execution of an order, we use service providers, in particular postal, freight, and shipping companies, to carry out delivery or execution to our customers. For payment processing, we use the services of banks and payment service providers. The required information is marked as such in the context of the order or comparable purchase process and includes the information required for delivery, provision, and billing as well as contact information to be able to hold any consultations; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
When contacting us (e.g., by mail, contact form, email, telephone, or via social media) and in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to answer contact inquiries and any requested measures.
Contact form: When contacting us via our contact form, by email, or other means of communication, we process the personal data transmitted to us to answer and process the respective request. This usually includes information such as name, contact information, and, if applicable, other information that is communicated to us and necessary for appropriate processing. We use this data exclusively for the stated purpose of contact and communication; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.
The measures include in particular ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, transmission, ensuring availability, and their separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, deletion of data, and responses to data threats. Furthermore, we already consider the protection of personal data in the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.
Securing online connections through TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as an indicator for users that their data is being transmitted securely and encrypted.
We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or there are no further legal bases for processing. This affects cases in which the original processing purpose no longer applies or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of data.
In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.
Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing processes.
If there are multiple specifications for retention period or deletion deadlines for a date, the longest period is always decisive. Data that is no longer stored for the originally intended purpose but due to legal requirements or other reasons, we process exclusively for the reasons that justify their retention.
Retention and deletion of data: The following general periods apply to retention and archiving under German law:
3 years - Data that is required to take into account potential warranty and damage claims or similar contractual claims and rights as well as related inquiries, based on previous business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
6 years - Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents insofar as they are relevant for taxation, e.g., hourly wage slips, operating cost allocation sheets, calculation documents, price labels, but also payroll documents insofar as they are not already booking documents and cash register receipts (§ 147 para. 1 no. 2, 3, 5 in conjunction with para. 3 AO, § 257 para. 1 no. 2 and 3 in conjunction with para. 4 HGB).
8 years - Booking documents, such as invoices and cost receipts (§ 147 para. 1 no. 4 and 4a in conjunction with para. 3 sentence 1 AO as well as § 257 para. 1 no. 4 in conjunction with para. 4 HGB).
10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet as well as the work instructions and other organizational documents required for their understanding (§ 147 para. 1 no. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with para. 4 HGB).
Period start with end of year: If a period does not start explicitly on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the period-triggering event occurred. In the case of ongoing contractual relationships in which data is stored, the period-triggering event is the time of effectiveness of termination or other termination of the legal relationship.
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which result in particular from Art. 15 to 21 GDPR:
Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to request information about this data as well as further information and a copy of the data in accordance with legal requirements.
Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of incorrect data concerning you.
Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be deleted immediately, or alternatively, in accordance with legal requirements, to request restriction of processing of the data.
Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
Right to revoke consent: You have the right to revoke given consents at any time.
Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data concerning you violates the provisions of the GDPR.
We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require an action on your part (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and we ask you to check the information before contacting us.
Created with free Privacy Policy Generator.de by Dr. Thomas Schwenke